Puppet users - Oct 2011 - Reusing host names with puppet and SSL certificates

Hello all,
I''m trying to figure some things out with SSL and would appreciate some
help
or best practices here.

I''m implementing auto scaling over Amazon EC2 for some services I have,
all
of the instances are based on the same AMI and I''m using Puppet to
configure
the hosts when they come up to make sure they have the latest configuration, 
also I''m using some exported resources in order to configure other
instances
that need to use their details.

My auto scaling environment is supposed to be dynamic and go up and down as 
needed, I also need to use host names that will differentiate one host from 
the other and have some ID. Currently when a host comes up it gets an ID 
between 1 and 25 (depends on what''s available) and comes up.

My problem is that sometimes a node goes down, and then a new node comes up 
and takes it''s number (which is alright), but then puppetmaster refuses
to
let it come up because obviously it now has a different SSL certificate than 
the one that was previously up.

Is there a best practice or a solution for this problem? I do need to use 
the same hostnames sometimes for instances that generate new certificates 
when they come up, I''ve been trying to clean the certificates once in a
while for instances that are no longer responding but that didn''t go
very
well and I also understand that I need to restart the master in order for 
that to take effect which I don''t want to do.

Once solution that I thought about is to generate a certificate for each 
hostname and make sure that when an instance comes up it gets the specific 
certificate that was already generated and signed by the master. Is this a 
good idea? Any other thoughts about this?

Thanks,
Galed.

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To view this discussion on the web visit
https://groups.google.com/d/msg/puppet-users/-/8bVpwxZE_-IJ.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

----- Original Message -----
<snip>| 
| Is there a best practice or a solution for this problem? I do need to
| use
| the same hostnames sometimes for instances that generate new
| certificates
| when they come up, I''ve been trying to clean the certificates once in
| a
| while for instances that are no longer responding but that didn''t go
| very
| well and I also understand that I need to restart the master in order
| for
| that to take effect which I don''t want to do.
| 
| Once solution that I thought about is to generate a certificate for
| each
| hostname and make sure that when an instance comes up it gets the
| specific
| certificate that was already generated and signed by the master. Is
| this a
| good idea? Any other thoughts about this?
| 
| Thanks,
| Galed.
| 

I use server generated certificates and copy those certificates to the host upon
re-install.  Works very well for me.

-- 
James A. Peltier
IT Services - Research Computing Group
Simon Fraser University - Burnaby Campus
Phone   : 778-782-6573
Fax     : 778-782-3045
E-Mail  : jpeltier@sfu.ca
Website : http://www.sfu.ca/itservices
          http://blogs.sfu.ca/people/jpeltier
I will do the best I can with the talent I have

-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.

As far as i could see, the Puppet cloud provisionner also generates a random
name and creates a certificate request based on it. Then Puppet client is
run with the certname option, set with this previously generated hostname


2011/10/17 James A. Peltier <jpeltier@sfu.ca>
> ----- Original Message -----
> <snip>|
> | Is there a best practice or a solution for this problem? I do need to
> | use
> | the same hostnames sometimes for instances that generate new
> | certificates
> | when they come up, I''ve been trying to clean the certificates
once in
> | a
> | while for instances that are no longer responding but that
didn''t go
> | very
> | well and I also understand that I need to restart the master in order
> | for
> | that to take effect which I don''t want to do.
> |
> | Once solution that I thought about is to generate a certificate for
> | each
> | hostname and make sure that when an instance comes up it gets the
> | specific
> | certificate that was already generated and signed by the master. Is
> | this a
> | good idea? Any other thoughts about this?
> |
> | Thanks,
> | Galed.
> |
>
> I use server generated certificates and copy those certificates to the host
> upon re-install.  Works very well for me.
>
> --
> James A. Peltier
> IT Services - Research Computing Group
> Simon Fraser University - Burnaby Campus
> Phone   : 778-782-6573
> Fax     : 778-782-3045
> E-Mail  : jpeltier@sfu.ca
> Website : http://www.sfu.ca/itservices
>          http://blogs.sfu.ca/people/jpeltier
> I will do the best I can with the talent I have
>
> --
> You received this message because you are subscribed to the Google Groups
> "Puppet Users" group.
> To post to this group, send email to puppet-users@googlegroups.com.
> To unsubscribe from this group, send email to
> puppet-users+unsubscribe@googlegroups.com.
> For more options, visit this group at
> http://groups.google.com/group/puppet-users?hl=en.
>
>
-- 
You received this message because you are subscribed to the Google Groups
"Puppet Users" group.
To post to this group, send email to puppet-users@googlegroups.com.
To unsubscribe from this group, send email to
puppet-users+unsubscribe@googlegroups.com.
For more options, visit this group at
http://groups.google.com/group/puppet-users?hl=en.